XDR vs EDR: Which Is Better for Your Organisation?
“EDR Is Dead, Long Live XDR,” wrote Forrester researcher Allie Mellen in her 2021 report on XDR.
Seen by many as the natural evolution of endpoint detection and response (EDR), extended detection and response (XDR) is slowly gaining in popularity. Although only 12% of cybersecurity decision-makers have adopted XDR to date, 77% plan on doing so in the next two years, found a recent CyberRisk Alliance (CRA) survey.
Both EDR and XDR aim to help organisations detect and respond to threats faster. However, instead of just focusing on endpoints, XDR promises to give defenders a more holistic view of threats across their entire digital estate.
So, has EDR done its time? Not necessarily. Although XDR is predicted to have a rosy future, the uptake of EDR solutions is also on the rise. Between 2020 and 2030, the global EDR market is expected to expand at a compound annual growth rate of 21%, surpassing a $13.8 billion valuation by 2030.
Still, as the hype around XDR continues, anyone looking to defend their organisation may now be wondering: is XDR the new EDR? While XDR promises a lot, companies looking to improve their threat detection and response capabilities should also consider other security automation solutions like SenseOn. Here’s why.
The Rise (And Fall) of EDR Tools
Endpoint detection and response (EDR) refers to solutions that detect, investigate, and remediate threats on endpoints, i.e., all devices that connect to and from a corporate network.
According to Gartner, who came up with the term in 2013, any EDR tool needs to provide four capabilities: detect security incidents, investigate suspicious behaviour, block malicious activity at the endpoint, and offer remediation steps.
Unlike traditional endpoint security tools such as firewalls or antivirus, which depend on signatures and attack patterns to detect malware, EDR solutions are behaviour-based and can recognise even unknown threats.
Unsurprisingly, as attackers evolve their methods and the number of endpoints at a typical organisation grows, companies are beginning to see EDR as an integral part of their security posture. Gartner predicts that by 2023, more than 1 in 2 businesses will have swapped out their legacy security software for combined EDR and endpoint protection platforms (EPP).
However, because the endpoint isn’t the only attack vector, relying solely on EDR can leave companies exposed to attacks that start elsewhere (network, the cloud, etc.) or that use lateral movement. In a recent experiment, 11 EDR products from well-known security providers failed to detect 10 out of 20 attacks.
Even when organisations use other sources of telemetry, like network detection and response (NDR), these tools are seldom integrated with each other, which means that defenders still lack a complete view of the enterprise.
The more tools an organisation has, the more alerts security teams get, and the longer it takes them to detect, investigate, and respond to threats. In a survey by CRA Business Intelligence (sponsored by eSentire and Exterro), almost 50% of respondents said lack of visibility/context from current security solutions resulted in them missing at least one security incident in the last 12 months.
Is XDR the Next Big Thing?
The main difference between extended detection and response (XDR) and EDR is that XDR protects more than just endpoints.
Coined in 2018 by Palo Alto Networks, XDR applies EDR principles across an organisation’s entire infrastructure, integrating multiple point solutions. Among others, these may include EDR, EPP, NDR, mobile threat detection, cloud workload protection, email security, and deception. The precise capabilities of any XDR solution will depend largely on the vendor offering it and their existing product catalogue.
Created to address product sprawl and alert fatigue, XDR solutions centralise threat data from multiple security products into a single user interface and correlate it to find behaviour that might have gone unnoticed.
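To make that correlation idea concrete, here is an added Python illustration (not SenseOn's, Palo Alto's or any other vendor's code) of what centralising telemetry from several products and correlating it can reveal. It normalises constructed sample events from a hypothetical email security product, an EDR and an NDR onto one schema, chains them per host within a time window, and tags each step with a MITRE ATT&CK technique ID (the mapping is this example's own choice, in the spirit of the ATT&CK mapping the page mentions later). All event data, product feeds and hostnames are constructed; nothing here is real telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample telemetry from three hypothetical products. On its own, each
# event is low-severity and would not normally be escalated by the product that saw it.
EMAIL_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "WS-17", "kind": "attachment_opened",
     "user": "alice", "name": "invoice.docm"},
]
EDR_EVENTS = [
    {"ts": "2024-03-01T09:01:10", "host": "WS-17", "kind": "process_start",
     "parent": "winword.exe", "image": "powershell.exe"},
    # An admin launching PowerShell from the desktop: should NOT become an incident.
    {"ts": "2024-03-01T14:30:00", "host": "WS-42", "kind": "process_start",
     "parent": "explorer.exe", "image": "powershell.exe"},
]
NDR_EVENTS = [
    {"ts": "2024-03-01T09:01:25", "host": "WS-17", "kind": "dns_query",
     "domain": "cdn-update.example"},
    {"ts": "2024-03-01T09:01:30", "host": "WS-17", "kind": "outbound_connection",
     "dst": "203.0.113.7", "port": 443},
]

# Event kind -> MITRE ATT&CK technique ID. This mapping is the example's own choice.
ATTACK_MAP = {
    "attachment_opened": "T1566.001",   # Phishing: Spearphishing Attachment
    "process_start": "T1059.001",       # Command and Scripting Interpreter: PowerShell
    "outbound_connection": "T1071",     # Application Layer Protocol
}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    kind: str
    detail: dict
    technique: Optional[str]


def normalise(source: str, raw: dict) -> Event:
    """Map a product-specific record onto the common schema used for correlation."""
    detail = {k: v for k, v in raw.items() if k not in ("ts", "host", "kind")}
    return Event(datetime.fromisoformat(raw["ts"]), source, raw["host"],
                 raw["kind"], detail, ATTACK_MAP.get(raw["kind"]))


def load_events(sources=None) -> list:
    """Ingest the constructed feeds; `sources` restricts which products are included,
    which lets us compare the single-product view with the combined one."""
    feeds = {"email": EMAIL_EVENTS, "edr": EDR_EVENTS, "ndr": NDR_EVENTS}
    events = []
    for name, feed in feeds.items():
        if sources is not None and name not in sources:
            continue
        events.extend(normalise(name, raw) for raw in feed)
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=5)) -> list:
    """Per host, look for: attachment opened -> Office app spawns a shell ->
    outbound connection, all within `window`. Each step comes from a different
    product, so no single feed can see the whole chain."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    incidents = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if first.kind != "attachment_opened":
                continue
            chain = [first]
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break
                stage = len(chain)
                if (stage == 1 and later.kind == "process_start"
                        and later.detail.get("parent") in OFFICE_APPS):
                    chain.append(later)
                elif stage == 2 and later.kind == "outbound_connection":
                    chain.append(later)
            if len(chain) == 3:
                incidents.append({
                    "host": host,
                    "start": chain[0].ts,
                    "end": chain[-1].ts,
                    "sources": sorted({e.source for e in chain}),
                    "techniques": [e.technique for e in chain],
                    # Everything else the host did in the window, kept as context.
                    "context": [e.kind for e in evs[i:]
                                if e.ts - first.ts <= window and e not in chain],
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(load_events()):
        print(inc)
    print("EDR-only view:", correlate(load_events(sources={"edr"})))
```

Run with all three feeds, the example raises one incident for WS-17 spanning email, EDR and NDR, with the DNS lookup attached as context and each step tagged with its technique; restricted to the EDR feed alone, the same logic raises nothing, because the chain's first step is never visible to it. That gap between the single-product view and the combined view is the behaviour the page is describing.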
For many security teams, this is a huge plus. Almost half of infosec professionals across various industries would consider replacing individual point tools with XDR.
XDR or EDR? Why Not SenseOn?
For any organisation that doesn’t yet have an EDR solution in its tool stack, XDR might make a lot of sense. Although the relationship between EDR and XDR is, to quote former Gartner Research VP and Analyst Anton Chuvakin, currently “under debate,” security analysts like Allie Mellen of Forrester view XDR as a replacement for EDR, or, to be more precise, “EDR++.”
Regardless of whether you go with vendor-specific XDR or open XDR, EDR is the “most pivotal and defining piece” of this new technology. Some EDRs have already rebranded as XDRs.
However, if a company’s primary interest in XDR is to improve its detection and response by unifying its security stack (which is one of the technology’s main benefits), it should tread carefully. Right now, the XDR market is still fuzzy. There is no general consensus on what XDR is: for example, which tools it encompasses, or even whether it is a “real” market at all. Some vendors have also been quick to capitalise on this latest trend without actually putting in the work. Gartner anticipates that by 2023, close to 1 in 3 EDR and SIEM providers will claim XDR capabilities despite lacking core XDR functions.
Nevertheless, while XDR might not be there just yet, that doesn’t mean that companies have to wait for the market to mature (or for something else to come along) before they can replace multiple point solutions with one uniform platform and improve visibility.
A cohesive platform that removes the need for multiple tools by consolidating EDR, NGAV, NDR, IDS, SIEM, and SOAR, SenseOn correlates data from across an organisation’s entire infrastructure (endpoints, networks, cloud infrastructure, and investigator microservices) to give a 360-degree view of a company’s digital estate via a single console.
At the same time, SenseOn’s “AI Triangulation” technology emulates how a human analyst thinks, to ensure that defenders are not drowning in a sea of false positives.
Correlating events across the environment, SenseOn flags only genuine threats, breaking down the relationship between events and devices and mapping suspicious behaviour to the MITRE ATT&CK framework.